SAAF Education Blog: General Data Protection Regulation - The Basics

General Data Protection Regulation - The Basics

By now, you should have heard about the General Data Protection Regulation (GDPR) and hopefully you’ve already begun the journey to ensure your school, academy or MAT is compliant. However, we know the GDPR is a complicated subject to get to grips with, so we’re going to break down the rules and steps you need to take to prepare for the regulation.

Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. You may not rely on this as legal advice.

GDPR – What is it?

Since April 2016 the GDPR has been in effect, but all businesses were given two years to ensure they were compliant by 25th May 2018. The GDPR has been introduced to ensure all data is handled appropriately and that your customers, or pupils and their parents in the case of schools, have access to view the data you keep on them.

A lot of the principles of GDPR are similar to those in the current Data Protection Act, so if your school is already compliant with the current legislation, it should prove to be a good foundation to GDPR compliance. There are, however, new regulations and specific enhancements, so you will have to take on new processes and change some existing ones.

To help guide you through the process, the Information Commissioner’s Office (ICO) has created a checklist to help make sure you are fully compliant in time.

Each school must assign a Data Controller and Data Protection Officer (DPO) who will be responsible for protecting the data. This will most likely be the School Business Manager or a Governor, but it can be outsourced to an external party if you prefer.

Multi-academy trusts will need one DPO which will look after every school within the trust.

Your Data Controllers will need to decide what data to collect based on information required for some returns to the LA/DfE. When doing this however, they should only share relevant information and ask themselves, “Is it necessary to share this?” and “Is the information needed?”

How to make sure your school, academy or MAT is compliant

You must make sure that data is only accessible to those who need to see it.

Parents may ask the school which data is being held about their children, so it is always best to keep your students, and their parents, aware of the data you are recording. The Data Protection Officer should be able to provide any individual with their data when they ask for it.

Getting consent from an individual needs to be specific. If you have asked for consent for one situation, you will have to ask again for another. Consent is not a blanket basis; it must be specific, and you must make it clear which data you are collecting, and why, in advance.

GDPR for schools involves getting consent for your pupils, which means you will usually need to ask their parents for consent whenever you want to collect data. The GDPR will bring into effect special protection for children’s data, especially in the context of commercial internet services like social media. Currently, GDPR sets the age at which a child can give consent at 16; however, this may be lowered to 13 in the future. If you need consent for a child younger than this, you must then ask a person holding “parental responsibility” for consent.

Want to know more?

We hope this has helped make GDPR clearer for you. However, if you’re still confused and feel like you need more help, we can offer you just that.

On 7th March, we are holding a GDPR training session where our guest speaker will talk through everything schools will need to know concerning GDPR, showing practical scenarios that apply to the education sector and third parties that will make compliance much easier.